Discover and read the best of Twitter Threads about #OBTS

Most recents (8)

RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet) 🍎🐛☠️

One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"

...let's dive in! 1/n 🧵
We'll start with 3CXDesktopApp-18.12.416.dmg
(SHA 1: 3DC840D32CE86CEBF657B17CEF62814646BA8E98)

It contains a *notarized* app ("3CX Desktop App.app") ...meaning Apple checked it for malware "and none was detected" 😜☠️ 2/n
This app is massive - 381MB 🤯
...let's focus on libffmpeg.dylib
found in the App's /Contents/Frameworks/Electron\ Framework.framework/Versions/A/Libraries directory

(SHA 1: 769383fc65d1386dd141c960c9970114547da0c2)

It was submitted to VT today:
virustotal.com/gui/file/a64fa… 3/n
Read 33 tweets
I've just posted slides from my #OBTS v5 talk: "Making oRAT, Go" 🍎🐀

speakerdeck.com/patrickwardle/…

After creating a custom C&C server, we can uncover the malware's full capabilities - simply by asking (tasking) the right questions! 🤭
1️⃣ First, we must understand how the malware figures out how to find its C&C server - so we can coerce it to talk to our C&C instead!

As this (encrypted) info is embedded within the malware, we can write a simple decryptor/encryptor to (re)configure the malware 👾🔓✍🏼🔒 → 🖥✅
2️⃣ Second, we need to understand its protocol, so we can task the malware to reveal its capabilities.

A brief triage of the malware's binary shows us it sets up a local server and registers various "routes" - taskable via requests from a remote C&C server.
Read 7 tweets
Pretty excited for this talk by @patch1t about a one-click macOS takeover, starting out mentioning P0โ€™s iMessage exploit and NSOโ€™s Pegasus spyware. #HITB2022SIN
In his talk, @patch1t also gives a shoutout to @patrickwardle for this 2021 blog post about bypassing macOS's file quarantine, gatekeeper, and notarization requirements. #HITB2022SIN objective-see.org/blog/blog_0x64…
The story of CVE-2021-30657 was one of my favorite talks at #OBTS last year, esp. the way @cedowens, @jbradley89 and @patrickwardle talked through the steps to finding the initial flaw.
Read 4 tweets
"Objective by the Sea" the Mac Security Conference, is back for v5.0!! 😍🥳 #OBTS

📍 Spain (near Barcelona)
🧑🏻‍💻 Trainings: Oct 3rd - 5th
🧑🏻‍🏫 Presentations: Oct 6th - 7th

Submit a talk or register today:
objectivebythesea.org/v5/index.html

...we can't wait to see y'all in sunny Spain! 🇪🇸
#OBTS v5.0 will be held at the lovely Le Méridien Ra Beach Hotel & Spa.

Only ~30 minutes south of Barcelona, the venue is located right on the sunny Mediterranean Sea ☀️🌴

We've negotiated a discounted group rate, so book thru the conference site: objectivebythesea.org/v5/location.ht…
We're also stoked to offer new and expanded (3-day) trainings at #OBTS v5.0:

Training 0x1: "The Art of Mac Malware: Detection & Analysis" by @patrickwardle

Training 0x2: "Arm Reverse Engineering & Exploitation" by @Fox0x01 🦊

For more info/to sign up:
objectivebythesea.org/v5/trainings.h…
Read 9 tweets
Was digging through court records related to Vault 7 and found this tidbit. The FBI used the wifi at Starbucks to download the leak. #OBTS
If you want to better understand how government agencies, such as the CIA, create and use cyber tools, there are some helpful bits in the #Vault7 court records. Here's one example. #OBTS
Makes sense for the CIA (and others, really) to have a code library of basic components in a state that can be readily used. #Vault7 #OBTS
Read 6 tweets
Ready for the Mac malware analysis training with @patrickwardle. #OBTS 🎉
Day two of training, currently talking about Apple's native OS X encryption scheme. #OBTS
Here's a 2013 blog post about Apple's native encryption scheme, h/t @patrickwardle. #OBTS cerbero-blog.com/?p=1311
Read 3 tweets
โš ๏ธ Latest macOS 0day (credit: Park Minchan)
...bypasses File Quarantine, Gatekeeper, etc.

Advisory:
๐Ÿ“ "macOS Finder RCE" ssd-disclosure.com/ssd-advisory-mโ€ฆ

๐Ÿ˜… Confirmed Big Sur & Monterey are vulnerable

๐Ÿงฎ I've posted Park's PoC (pops Calc) if you'd like to play: objective-see.com/downloads/PoCsโ€ฆ
The PoC once downloaded still has to be manually executed by the user.

macOS should, via File Quarantine/Gatekeeper, alert/warn/block as this is an 'executable' item from the Internet.

Apple attempted to patch (blocking file:// prefix), but File:// or fIle:// still work 🤣🤣🤣
ℹ️ The initial patch will, as noted, block items that attempt to abuse the "file://" prefix (but not "File://" etc.):
Read 4 tweets
[ #OBTS News ]

Objective by the Sea v4.0 (2021):
objectivebythesea.com/v4/

๐Ÿ‘จโ€๐Ÿซ Training: 09/28 - 09/29
๐Ÿ’ฌ Presentations: 09/30 - 10/01

๐Ÿ“ Location: Maui, Hawaii, USA

Can't wait to see y'all in lovely Maui!! โ˜€๏ธ๐ŸŒด
...more details (venue, registration, etc.) soon!
#OBTS v4.0 Call For Papers now open!

Themes of interest are ๐ŸŽ-security topics, such as:
โš™๏ธ OS internals
๐Ÿฆ  Malware analysis
๐Ÿ› ๏ธ Tool making & breaking
๐Ÿ› Bug discovery & exploitation

CFP details: objectivebythesea.com/v4/cfp.html
We've selected the newly remodeled beachside Westin Resort & Spa, in Ka'anapali Maui to host #OBTS v4.0๐Ÿ–๏ธ ๐Ÿ˜Ž

We've also secured a block of rooms at a massively discounted group rate. These will sell out, so don't wait (too long)!

More info / to book: objectivebythesea.com/v4/attending.hโ€ฆ ImageImageImageImage
Read 7 tweets